This thread is still alive? :)

What you see is what you include. André was mistaken. That is the lesson. And there is 
no danger. If there was, folks would have stopped using PHP long ago.

In my case, I'm hijacking my own script on another server. I'm doing it only because I 
don't have access to MySQL on server #1 so I hijack my script on server #2 to permit 
server #1 to output to screen what I wanted to be able to do in the first place. I 
screamed loud enough and ISP finally gave me access to MySQL, at no extra cost. 
Because of a very handy firewall, I cannot access server #2's mysql server from #1. No 
regrets.

Raditha Dissanayake wrote:

> Nope i see the server parsed output. Try loading the url directly in
> your browser!!  what you see is what you get when you include.
>
> Adam Bregenzer wrote:
>
> >On Sun, 2004-02-08 at 08:27, Andrew Séguin wrote:
> >
> >
> >>A test to confirm that, is to point the browser to the address being
> >>included. See the source? vulnerable. See the results? not vulnerable.
> >>
> >>
> >
> >If you do not see 'source' then what are you including?  For example the
> >following script could be included remotely:
> >
> ><?php
> >echo <<<EOF
> ><?php
> >\$sql = "SELECT * FROM table WHERE id = $number";
> >?>
> >EOF;
> >?>
> >
> >If you were able to include the above source with:
> >include("http://somewhere.com/file.php?number=123");
> >You could include and see php code.  Not the original but something that
> >is still useful.  include() includes php code, if you can include a file
> >from a remote source you can view it with a browser.  What you say is
> >true:
> >"See the source? vulnerable. See the results? not vulnerable."
> >Of course if you can not see it you also can not include it remotely.
> >
> >As a side note it is safer to put includes outside the web path.  An
> >overflow or some other bug may be found that would bypass processing of
> >.php files (or a different bug could be exploited to write a .htaccess
> >file in that directory).  If you have the option to move includes to a
> >different directory it is more secure.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
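The "keep includes outside the web path" advice in Adam's quoted post, as an added example that is not code from anyone in the thread: a page loader that only ever includes allow-listed local files from a directory outside DocumentRoot, so a caller-supplied name can never become a URL or a path elsewhere on disk (the directory, page names and files are hypothetical).

```php
<?php
// Added example, not from the thread. Directory, page names and files are
// hypothetical; adjust INCLUDE_DIR to a path outside your DocumentRoot.
declare(strict_types=1);

// Includes live outside the web root, so a bug that skips PHP processing
// or drops a .htaccess in the web tree still cannot expose their source.
const INCLUDE_DIR = '/var/app/includes';

// Explicit allow-list: request parameter -> file on disk. Nothing else
// is ever passed to include(), so "http://..." is never a candidate.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to an include path, or null.
 * Refuses unknown names and anything that resolves outside INCLUDE_DIR
 * (a symlink or traversal in the allow-listed file itself would fail here).
 */
function resolve_include(string $page, array $pages = PAGES, string $base = INCLUDE_DIR): ?string
{
    if (!isset($pages[$page])) {
        return null;                          // not on the allow-list
    }
    $baseReal = realpath($base);
    $real     = realpath($base . '/' . $pages[$page]);
    if ($baseReal === false || $real === false) {
        return null;                          // directory or file missing
    }
    // The resolved path must sit strictly inside the include directory.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$path = resolve_include($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('No such page');
}
// Local file only. With allow_url_include=Off in php.ini a remote include
// would fail regardless; this loader simply never attempts one.
include $path;
```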